Applying ACL to vty in IOS-XR

May 12th, 2011

Hi.

I am trying to apply ACLs to the vty on an ASR9k router.

I am doing the following, and this works...

! IOS-XR
!-------
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny   ipv4 any any log
!
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny   ipv6 any any log
!
vty-pool default 0 10
line default
 access-class ingress VTY-ACL
!

The SSH TCP port is still open from any host, though. I am not able to log in from hosts other than the ones specified in the ACLs, but it is possible to port-scan TCP 22 from any host.

Any suggestions? When applying ACL directly on mgmt interface the port gets blocked.

Regards

Andreas

Bryan Garland Fri, 06/03/2011 - 11:04

Andreas,

This is not the preferred way to do this, for the exact reasons you describe. The better way to do this is via MPP, Management Plane Protection. This allows us to program the hardware via LPTS to drop unwanted requests in hardware instead of having software deal with it.

http://www.cisco.com/en/US/docs/routers/asr9000/software/security/configuration/guide/scasr9kmpp.html

Thanks,

Bryan
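The MPP configuration Bryan points to, written out as an added example (this is not Bryan's or Cisco's configuration, and the interface name MgmtEth0/RSP0/CPU0/0 and the VRF name mgmt are assumptions; the peer prefixes are the ones from the VTY-ACL in the question). SSH is restricted to those peers on the dedicated management port and on in-band interfaces, and LPTS drops everything else before it reaches the SSH process:

```text
! Added example, not from the original thread. Interface MgmtEth0/RSP0/CPU0/0
! and VRF "mgmt" are assumed; substitute the router's own management interface.
control-plane
 management-plane
  !
  ! Out-of-band: the dedicated management Ethernet port.
  out-of-band
   vrf mgmt
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.0.0.0/24
     address ipv6 2001:db8::/32
    !
   !
  !
  ! In-band: forwarding interfaces that should also accept SSH.
  ! Once SSH is listed here, SSH arriving on any in-band interface not
  ! covered by this block, or from any peer not listed, is dropped by LPTS.
  inband
   interface all
    allow SSH peer
     address ipv4 10.0.0.0/24
     address ipv6 2001:db8::/32
    !
   !
  !
 !
!
commit
!
! Verify per interface which protocols and peers are permitted:
show mgmt-plane
```

Two practical notes. First, commit this from the console, or make sure the address you are connected from is in the peer list before committing, because MPP for a protocol applies to every interface at once and will lock out sessions that no longer match. Second, the difference from the vty access-class is where the filtering happens: MPP drops the packets in hardware, so a scan of TCP 22 from an unlisted host gets no answer, whereas with the access-class approach the router was still accepting the TCP connection and only rejecting the login, which is exactly the open-port behaviour described in the question.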

Tags: asr9k, ios-xr